GDPR Privacy Policy Template

The main focus of the General Data Protection Regulation (GDPR) is the protection of personal data and digital privacy.

Because of this, your Privacy Policy is going to be an important part of your GDPR compliance plan.

Here's what you need to know about updating your current Privacy Policy, having adequate Privacy Notices and getting your users to consent to your Policy terms in accordance with the GDPR.

What's the GDPR

The GDPR is a new legal framework from the EU that takes effect on May 25, 2018. It's an updated version of the Data Protection Directive.

This law is designed to accomplish two main things:

  1. Unify the current data protection privacy laws throughout the EU, and
  2. Enhance the rights of citizens of the EU to protect their personal information

Who the GDPR Applies to


Regardless of where in the world your business is located, the GDPR applies to any business that does one or both of the following:

  • Makes its products or services available to people located in the EU
  • Gathers personal information from people located in the EU

This means that a business located in Canada that only collects phone numbers for text message marketing to people in the EU will be required to comply with the GDPR.

What the GDPR Requires


While the Data Protection Directive only applied to data controllers, the GDPR now applies to data processors as well.

Each role has specific requirements that you'll also need to be aware of.

For example, data controllers must now conduct Data Privacy Impact Assessments (DPIAs) and add more thorough methods of obtaining consent for collecting data.

Data processors will have to start keeping written records, increase their security measures to protect data, and notify data controllers of any breaches that occur involving the data.

In some instances you may be required to appoint a Data Protection Officer (DPO) to oversee your data security strategy and GDPR compliance.

The GDPR requires that users are provided with thorough information about how their personal data is processed.

According to Article 12 of the GDPR, you need to let people know about how you process personal data in the following ways:

  • Concisely
  • Transparently
  • Intelligibly
  • Easily accessible
  • In clear and plain language
  • Free of charge

This can be accomplished with a good Privacy Policy and privacy notices.

How to Comply with GDPR


This article is only going to cover the Privacy Policy, privacy notice and consent aspects of GDPR compliance.

Remember that under the GDPR, you need to communicate your data collection and processing procedures in a way that's concise, transparent, intelligible and in clear and plain language.

The GDPR now requires you to disclose more information in your Privacy Policy. However, it also requires you to do it in a more concise and clear way.

By having an informative, detailed, yet user-friendly Privacy Policy as well as concise summarized Privacy Notices you can effectively satisfy the requirements of the GDPR.

Have a Privacy Policy


Data protection laws around the world require a Privacy Policy when you collect or use personal information from your users, so chances are you already have this agreement in place on your website.

A Privacy Policy is where you let your users know:

  • What personal information you collect
  • How and why you collect it
  • How you use it
  • How you secure it
  • Any third parties with access to it
  • If you use cookies
  • How users can control any aspects of this

Privacy Policies tend to be long, dense legal agreements with a lot of detailed information. Your users might feel intimidated by page after page of technical information, which is what the GDPR is working to avoid.

Update your Privacy Policy to be GDPR-compliant by removing as much legalese as possible and using only clear, simple language that your average reader is likely to understand.

Along with the seven standard points above, you must also include the following information in your Privacy Policy to be GDPR-compliant.

Note that each point doesn't have to be a separate clause. As long as the information is somewhere in your Policy, it will work.

1. Who your Data Controller is

The data controller will likely be your business, unless your business operates as a data processor for other companies.

CheckMarket GDPR Privacy Policy: Data Controller clause for GDPR requirements

2. Contact information for the Data Controller

Chances are your Privacy Policy already includes contact information. If not, you need to add this information in right away.

US Department of State Privacy Policy: Contact Information clause

If you have a Data Protection Officer, add in specific contact information for your users to contact this person directly with issues related to privacy.

CheckMarket GDPR Privacy Policy: Data Protection Officer contact information

3. Your purposes for collecting the data

Your users need to know why you're collecting and using their personal data. Be as specific as possible here when disclosing your practices.

Novartis Privacy Policy: What Personal Data do we process and for which purpose clause

4. Inform users of the 8 rights they have under the GDPR

Most of these rights involve things like the right to access data, request changes, deletions and corrections.

For example, if you collect email addresses, give users a chance to see which one(s) you have on file, give them a way to delete their email address, and allow them to update or change it.

Some businesses choose to make an organized list of each of the rights. Others work each right into a paragraph or several paragraphs. As long as each right is somewhere within your Privacy Policy in an intuitive section, you'll be compliant.

Here's how Twitter discloses some of the user rights in an organized section in its Privacy Policy. Note how three of the rights are covered in one sub-section, while another right is covered in a separate one. There are other rights that are addressed elsewhere in the Privacy Policy, as well:

Twitter Privacy Policy Chapter 4 excerpt: GDPR rights: Object, Restrict or Withdraw Consent and Portability clauses

5. Whether you use data to make automated decisions

If you use personal data to make automated decisions - such as for credit scoring, loan screening, profiling users or making employment decisions - you need to disclose this to users.

You can let users know that you don't do this if you want, but it's not required.

Towergate Fair Processing Notice: Your Rights section: Automated decision-making: GDPR

6. Whether you transfer data internationally

If your business transfers personal data to a different country or international organization, you need to let users know this.

Include one of the following as well:

  • Whether your transfer falls under a legal framework or decision, such as the EU-US Privacy Shield seen in the example below, or
  • An explanation of the "suitable safeguards" you have in place for the transfer (such as binding corporate rules, contractual provisions, etc.). Let your users know how they can go about requesting a copy of your safeguard information.

Eventbrite Privacy Policy: International Privacy Laws clause including Privacy Shield

7. What's your legal basis for processing data

Under the GDPR, you need to have a lawful basis for processing any personal data. There are six available lawful bases, and each piece of data you process needs to fall under one of the six categories.

The most common two would be:

  • The subject has given consent to have data processed for the specific purpose(s)
  • Processing is necessary for pursuing a legitimate interest

Make sure to include information in your Privacy Policy about what legitimate interest you're processing data for.

This requirement will likely be met through a combination of your clauses that cover what personal data you're collecting and how you're using the data.

For example, you may collect phone numbers for communicating with users, use cookies to remember user login information, and collect payment and financial information like credit card numbers for processing payments.

CheckMarket GDPR Privacy Policy: Collection of User Data clause

You should always get consent for the data you wish to collect. Not only will that meet the requirement of a legal basis to collect, but it's also a general requirement under the GDPR.

Getting Consent


As with all of your website legal agreements, you're going to need to get your users to agree to your Privacy Policy and provide consent for you to collect their personal information.

Now that you have an enhanced Privacy Policy that complies with the GDPR, you're going to have to meet the enhanced consent requirements as well.

Before you collect basic personal information (email addresses, names, financial information, etc.), you'll need to get clear, unambiguous affirmative consent.

Before collecting sensitive personal information (sexual orientation, health data, political/religious views, etc.), you'll need to get explicit consent.

The best way to satisfy this requirement is to always use checkboxes and clickwrap. Make your users click a box next to a statement that says by clicking, the user is agreeing to your Privacy Policy terms. Link to your Privacy Policy here, as well.

Blackmill store registration: Clickwrap with ToS, Privacy and Terms of Supply

There's something else you can do to satisfy the enhanced requirements under the GDPR: provide Privacy Notices.

Have Privacy Notices


A Privacy Notice is a simple yet informative notice that lets a user know why you're collecting data. These notices can be added to places on your website or mobile app where you're requesting to collect user data, such as at a field where a user can enter an email address.

For example, uSwitch asks users for an email address and a phone number - both of which are considered to be protected personal information under the GDPR.

Next to the fields where this information is requested, there are small question mark icons that users can click for more information via a Privacy Notice.

uSwitch data collection form with Privacy Notice icons highlighted

When a user clicks on the question mark, they're presented with a short notice that explains - in clear, basic language - why that piece of information is being requested. Here, it's so that uSwitch can email a copy of the comparison results to the user.

uSwitch data collection form with email field Privacy Notice

This type of notice is referred to as a just-in-time notice.

These notices don't negate the need for a full, accessible Privacy Policy.

uSwitch still provides a footer link to its Privacy Policy.

uSwitch Privacy Policy link in website footer

The full Privacy Policy includes information about collecting email addresses to provide price comparisons. However, you can see how it's included with a lot of other information and is rather lengthy and dense.

uSwitch Privacy Policy: Information You Provide clause with email address usage noted

It's easy to see how a short Privacy Notice at the point of data collection can help users be informed of your data collection practices in a concise, clear and easy-to-understand way.

Consider linking your full Privacy Policy within your Privacy Notice for additional transparency and user-friendly formatting.

Examples of GDPR-Compliant Privacy Policies

Here are a couple of examples of Privacy Policies that would meet GDPR requirements by being user-friendly and informative.

The Mouseflow Privacy Policy starts out as most standard Privacy Policies do, with a clause about what information is collected.

Mouseflow GDPR Privacy Policy: Information We Collect clause

It continues on with a clause that covers how the information is used.

Mouseflow GDPR Privacy Policy: How We Use Your Information clause

However, you can start to see more transparency than most Privacy Policies when you get to the section about how Mouseflow shares information.

This section is broken down into two types of information that will be shared:

  • Personally identifiable information, and
  • Non-personally identifiable information

This is important because the GDPR and other privacy laws only apply to personally identifiable information.

Creating this distinction in the Privacy Policy is good for legal compliance as well as clarity for users. While most Privacy Policies currently don't make this distinction, the growing number of privacy laws will likely require it eventually.

Mouseflow GDPR Privacy Policy: How We Share Your Information clause

The Privacy Policy continues with fairly standard clauses including:

  • How information is stored and processed
  • How information is protected

Mouseflow GDPR Privacy Policy: How We Store, Process and Protect Your Information clauses

Mouseflow points out specifically for EU clients that it complies with the EU Data Protection Directive requirements.

Mouseflow GDPR Privacy Policy: EU Clients clause

Another successful Privacy Policy example can be seen with Pipedrive.

Pipedrive is very specific with disclosing how it uses information it collects. This helps satisfy the lawful basis and legitimate interest requirement of the GDPR.

You can see that it includes operations, improvements and communications - all of which are legitimate business purposes.

Pipedrive GDPR Privacy Policy: How We Use Information We Collect clause

Pipedrive includes a section about user choices when it comes to user data. This section covers accessing data, correcting it, deleting it, objecting to it being collected, declining to provide it and other rights users have under the GDPR.

Pipedrive GDPR Privacy Policy: Access, Correction, Deletion clause

Another important part of the GDPR is that businesses cannot retain data beyond a reasonable time. To address this, Pipedrive's Privacy Policy includes a Data Retention clause that sets forth how long it keeps its collected data.

Pipedrive GDPR Privacy Policy: Data Retention clause

Also in line with the GDPR, Pipedrive's Privacy Policy includes a clause about Data Controllers and Data Processors, disclosing that it isn't a controller nor a processor of data. It does so in a way that defines to users what a controller and processor would each do, which is helpful.

Pipedrive GDPR Privacy Policy: Data Controller and Data Processor clause

To summarize:

  • Edit the language of your Privacy Policy to be clear, concise and easy for almost anyone to understand
  • Update your Privacy Policy to include what's required under the GDPR (including user rights)
  • Use clickwrap checkboxes to get clear, undoubted consent before collecting any personal data
  • Add Privacy Notices in places where you're asking for consent to collect data to help explain why you're asking for the data and consent